How to Detect Inactive Users in Azure Active Directory

Yuval, 2bcloud
Aug 9, 2021 · 6 min read

Security awareness is crucial for every company. Every startup, firm, or enterprise organization must stay on top of a wide variety of safety procedures in order to grow securely and remain protected from an increasing number of threats, both internal and external. At the heart of your security and access process in Azure is the Active Directory, and as part of our recent ISO 27001 certification, we implemented the following best practices for detecting inactive users within Azure Active Directory.

This article will provide a step-by-step guide to how it’s done, including streaming the sign-in logs to a Log Analytics Workspace and creating an alert based on a Log Analytics query.

Before you Begin:

To use this feature, you will need:

1. An Azure subscription. If you don’t have an Azure subscription, you can sign up for a free trial.

2. An Azure AD tenant.

3. A global administrator or security administrator user set up for the Azure AD tenant.

4. A Log Analytics workspace in your Azure subscription. Learn how to create a Log Analytics workspace.

5. Azure AD Premium P1 or P2 tenant.

Streaming the Sign-in Logs to a Log Analytics Workspace

Start by signing in to the Azure portal. Select Azure Active Directory, followed by Diagnostic settings, and then click on Add diagnostic setting. You can also select Export Settings from the Audit Logs or Sign-ins page to get to the diagnostic settings configuration page.

In the Diagnostic settings menu, select the Send to Log Analytics workspace check box, and then select Configure. You’ll now be able to choose the Log Analytics workspace you want to send the logs to or create a new workspace in the provided dialog box.

Make sure to check the SignInLogs box; all other boxes are optional. Then click Save.

Wait about 15 minutes, then verify that events are streamed to your Log Analytics workspace.

Create an Alert based on a Log Analytics Query

Go to Monitor > Logs, and then copy the following query into the query box. It counts the users who have not signed in to an Azure/365 service for 14 days. You can adjust the time period to suit your own security requirements.

SigninLogs
| summarize max(TimeGenerated) by Identity
| where max_TimeGenerated <= ago(14d)
| count

· Select New Alert Rule.

· Select the condition Name:

A box will pop up from the right, and you’ll need to fill in the following details:

· Alert Logic:

o Based on — Number of results

o Operator — Greater than

o Threshold — 0 (In this scenario, you will be notified whenever one or more users have not signed in during the last 14 days)

· Evaluated based on (In this scenario the alert runs once a day):

o Period — 1440 (The time span over which to execute the above query)

o Frequency — 1440 (How often the query should be run)

You can now click on Done.

Next, you’ll want to add action groups. Select the Add action groups option.

Next, select Create action group:

Under Project details, select the Subscription and Resource group in which the action group is saved. Then, under Instance details you can enter an Action group name and a Display name. The display name is used in place of a full action group name when notifications are sent using this group.

How to Configure Notifications

You’ll now want to choose the way that you receive notifications, so that you can stay on top of your alerts on inactive users. Click the Next: Notifications > button or the Notifications tab to navigate to the notifications screen.

You can now define a list of notifications to send when an alert is triggered. Provide the following for each notification:

· Notification type: Select the type of notification you want to send. The available options are:

o Email Azure Resource Manager Role — Send an email to users assigned to certain subscription-level ARM roles.

o Email/SMS/Push/Voice — Send these notification types to specific recipients.

· Name: Enter a unique name for the notification.

· Details: Based on the selected notification type, enter an email address, phone number, etc.

· Common alert schema: You can choose to enable the common alert schema, which provides the advantage of having a single extensible and unified alert payload across all the alert services in Azure Monitor.

How to Configure Actions

Your next step is to define the list of actions that you want to be triggered when an alert is sent. Head to the actions screen by clicking Next: Actions > or clicking on the Actions tab directly. Provide the following for each action:

· Action type: Select Automation Runbook, Azure Function, ITSM, Logic App, Secure Webhook, or Webhook.

· Name: Enter a unique name for the action.

· Details: Based on the action type, enter a webhook URI, Azure app, ITSM connection, or Automation runbook. For ITSM Action, additionally specify Work Item and other fields your ITSM tool requires.

· Common alert schema: You can choose to enable the common alert schema, which provides the advantage of having a single extensible and unified alert payload across all the alert services in Azure Monitor.

Note: Optionally, you can explore the Tags settings under Create Action Group. Tags let you associate key/value pairs with the action group for categorization, and they are available for any Azure resource.

Click Review + create to review the settings. This will do a quick validation of your inputs to make sure all the required fields are selected. If there are issues, they’ll be reported here. Once you’ve reviewed the settings, click Create to provision the action group.

You can also set the email subject line so that the notification gets the right attention. Select Email Subject under Customize Actions. A good example could be ‘Inactive user detected’.

Additional Alert Rule Details

Under Alert rule name you’ll need to specify a name for this alert. For example, it could be named ‘Inactive user detected’. In the description, state clearly what the alert means and what the action items are. A good example is: “This alert is to notify that the last time a certain user (or multiple users) has logged in was 14 days ago.”

Detecting the User

To identify the inactive users, perform the following steps:

1. Go to Azure Monitor:

https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview

2. Run the following query:

SigninLogs
| summarize max(TimeGenerated) by Identity
| where max_TimeGenerated <= ago(14d)

This is the same query that is used as the condition in the alert rule, but without the count operator.
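The logic of the two queries above (with and without count), mirrored in Python as an added example that is not part of the original article. The sign-in rows, the directory list and the lookback_days parameter are constructed assumptions. The example shows that a user with no sign-in rows never appears in the result, and that the query can only flag users whose last sign-in falls inside the time range it is evaluated over.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the results are reproducible (constructed value).
NOW = datetime(2021, 8, 9, 12, 0, tzinfo=timezone.utc)

# Constructed (Identity, TimeGenerated) rows standing in for SigninLogs.
SIGNINS = [
    ("Alice Active", NOW - timedelta(hours=3)),
    ("Alice Active", NOW - timedelta(days=20)),
    ("Bob Dormant", NOW - timedelta(days=16)),
    ("Bob Dormant", NOW - timedelta(days=40)),
    ("Carol Edge", NOW - timedelta(days=14)),  # exactly at the cutoff
]
# Hypothetical directory listing; "Dave Never" has no sign-in rows at all.
DIRECTORY = ["Alice Active", "Bob Dormant", "Carol Edge", "Dave Never"]


def inactive_identities(rows, now, threshold_days=14, lookback_days=None):
    """summarize max(TimeGenerated) by Identity | where max_TimeGenerated <= ago(Nd)"""
    if lookback_days is not None:
        # Time range the query runs over: rows older than this are never seen.
        window_start = now - timedelta(days=lookback_days)
        rows = [(ident, ts) for ident, ts in rows if ts >= window_start]
    last_seen = {}
    for ident, ts in rows:
        if ident not in last_seen or ts > last_seen[ident]:
            last_seen[ident] = ts  # max(TimeGenerated) per Identity
    cutoff = now - timedelta(days=threshold_days)  # ago(14d)
    # "<=" matches the query, so a sign-in exactly at the cutoff is flagged.
    return sorted(i for i, ts in last_seen.items() if ts <= cutoff)


def never_signed_in(rows, directory):
    """Accounts with no sign-in rows; the query above cannot return these."""
    return sorted(set(directory) - {ident for ident, _ in rows})


if __name__ == "__main__":
    flagged = inactive_identities(SIGNINS, NOW)
    print("inactive:", flagged, "count:", len(flagged))
    print("1-day range:", inactive_identities(SIGNINS, NOW, lookback_days=1))
    print("30-day range:", inactive_identities(SIGNINS, NOW, lookback_days=30))
    print("no sign-in rows:", never_signed_in(SIGNINS, DIRECTORY))
```
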

Once the inactive users are found, the recommendation is to save the alert and block the users’ access, shoring up your security posture on Azure and reducing your chances of unauthorized access to the network.

Yuval is a Dev&Ops support engineer at 2bcloud.io